
The session is valid for multiple realms, how to avoid that?

Open carlosrmendes opened this issue 3 years ago • 3 comments

I'm running into an issue where a session created on one realm is not restricted from accessing resources on a different realm for which the session should not be valid.

I've setup kong routes aligning with two keycloak realms like so:

/realm1/app/
/realm2/app/

Each realm has its own OIDC client with unique keys/name/client secret. I then add the related kong-oidc to each route.

Accessing /realm1/app I'm redirected properly to the realm1 login, and similarly for realm2. However, if I'm logged into realm1 with an active session, I can still access /realm2/app. Looking at the app logs, the active session when accessing realm2 is still for realm1.

Am I missing some crucial setting?

carlosrmendes avatar Oct 03 '21 23:10 carlosrmendes

I am not sure the python method you used handles session cookies like a browser. The session cookie name is oidc_session by default; it can be changed by setting the Kong runtime env KONG_X_SESSION_NAME=oidc_session. It should be bound to domain/path.

Did not use the plugin so far in the way you are trying. Programmatically I would not use it like that unless you want to simulate user behavior in a user-agent (browser).

In the browser, accessing resources from realm1 will redirect to login the first time. If in the same browser session I am accessing a resource from realm2, it will prompt me again to log in, to the 2nd realm. We actually have this use case, and it works as expected.

cristichiru avatar Oct 05 '21 12:10 cristichiru
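As an added illustration of the cookie-scoping point in the comment above (this is not code from the issue or from the plugin): a browser decides which requests carry a cookie by RFC 6265 path matching, so when both ingresses share the host my.example.com, an oidc_session cookie issued with Path=/ is presented to both /master and /myrealm, while one scoped to Path=/master is not. The Set-Cookie values below are constructed; whether the plugin actually emits Path=/ is an assumption to check against your own responses.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE = "oidc_session"   # plugin default name, per the comment above
ROUTES = ["/master", "/myrealm"]  # the two ingress paths from this thread

# Constructed Set-Cookie values for illustration, not captured from Kong.
SHARED = "oidc_session=abc123; Path=/; Secure; HttpOnly"        # host-wide scope
SCOPED = "oidc_session=abc123; Path=/master; Secure; HttpOnly"  # route-scoped


def default_path(request_path: str) -> str:
    """Path a browser assigns when Set-Cookie has no Path attribute (RFC 6265 5.1.4)."""
    if not request_path.startswith("/") or request_path.count("/") <= 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 path-match: is a cookie scoped to cookie_path sent to request_path?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # "/master" must not match "/masterdata": the next char has to be a "/"
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def session_cookie_path(set_cookie: str, set_on_path: str) -> str:
    """Effective Path of the session cookie from one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if SESSION_COOKIE not in jar:
        raise ValueError(f"no {SESSION_COOKIE} cookie in header")
    return jar[SESSION_COOKIE]["path"] or default_path(set_on_path)


def routes_receiving_session(set_cookie: str, set_on_path: str, routes=ROUTES):
    """Ingress routes to which a browser would present this session cookie.
    set_on_path is the request path on which the Set-Cookie response was received."""
    cookie_path = session_cookie_path(set_cookie, set_on_path)
    return [r for r in routes if path_matches(cookie_path, r)]


if __name__ == "__main__":
    print("Path=/       ->", routes_receiving_session(SHARED, "/master"))
    print("Path=/master ->", routes_receiving_session(SCOPED, "/master"))
```

A cookie issued without any Path while handling /master/callback defaults to /master, which is the scoping the comment describes; a response that sets Path=/ on a shared host is the configuration to look for.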

hi @cristichiru , first of all thanks for your concern! 🙂

Forget the python part... no, I'm using the kong helm chart, which deploys kong-ingress-controller, using the image revomatico/docker-kong-oidc:2.6.0-1.

Then I create two oidc plugins, for two different realms, master and myrealm:

kind: KongClusterPlugin
apiVersion: configuration.konghq.com/v1
metadata:
  name: oidc-master
  annotations:
    kubernetes.io/ingress.class: kong
plugin: oidc
config:
  client_id: master-client
  client_secret: xxxxxxx-xxxxx-xxxxxx-xxx-xxxxx
  realm: master
  scope: openid
  discovery: https://my.example.com/auth/realms/master/.well-known/openid-configuration
  introspection_endpoint: https://my.example.com/auth/realms/master/protocol/openid-connect/token/introspect
---
kind: KongClusterPlugin
apiVersion: configuration.konghq.com/v1
metadata:
  name: oidc-myrealm
  annotations:
    kubernetes.io/ingress.class: kong
plugin: oidc
config:
  client_id: myrealm-client
  client_secret: xxxxxxx-xxxxx-xxxxxx-xxx-xxxxx
  realm: myrealm
  scope: openid
  discovery: https://my.example.com/auth/realms/myrealm/.well-known/openid-configuration
  introspection_endpoint: https://my.example.com/auth/realms/myrealm/protocol/openid-connect/token/introspect

then I enable each oidc plugin on the respective ingress (route):

kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: master-ingress
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/protocols: https
    konghq.com/plugins: oidc-master
spec:
  rules:
  - host: my.example.com
    http:
      paths:
      - path: /master
        pathType: ImplementationSpecific
        backend:
          service:
            name: master-svc
            port:
              name: http
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: myrealm-ingress
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/protocols: https
    konghq.com/plugins: oidc-myrealm
spec:
  rules:
  - host: my.example.com
    http:
      paths:
      - path: /myrealm
        pathType: ImplementationSpecific
        backend:
          service:
            name: myrealm-svc
            port:
              name: http

Checking on the kong api, I can confirm that both plugins are enabled on each route. Accessing both routes without an active session, I'm being redirected to the correct realm login page, but if I'm logged into the master realm with an active session, I can still access the /myrealm endpoint without being prompted to log in on realm myrealm.

So:

In the browser, accessing resources from realm1 will redirect to login the first time. If in the same browser session I am accessing a resource from realm2, it will prompt me again to log in, to the 2nd realm. We actually have this use case, and it works as expected.

This is not true in my use case.

carlosrmendes avatar Oct 07 '21 15:10 carlosrmendes

Just a note, this behavior is occurring both with session_storage: cookie and session_storage: memcache

carlosrmendes avatar Oct 07 '21 16:10 carlosrmendes